Virtustream Blog

10 Tips for Securing Your Data in the Hybrid Cloud

Introduction

More enterprises are turning to hybrid cloud solutions, looking to employ the best elements of both private and public cloud environments. According to Gartner, nearly half of large enterprises will have hybrid cloud deployments by the end of 2017, and RightScale’s 2015 State of the Cloud Survey found that 55 percent of enterprises are currently planning for hybrid clouds.

With these increasingly common hybrid deployments, it will be important for enterprises to effectively secure critical data moving forward, minimizing all vulnerabilities, assessing real-time data and meeting industry compliance standards.

Sean Jennings, Co-Founder and SVP of Solutions Architecture at cloud provider Virtustream, says that today’s enterprises can learn many lessons about the unique challenge of securing the hybrid cloud from an unlikely source – ancient Chinese military general Sun-Tzu’s The Art of War.

Develop a strategic plan

“The greatest victory is that which requires no battle.” – Sun Tzu

Before migrating your data, take the necessary time to develop a comprehensive plan for securing it during migration and once in the cloud. By doing so, organizations can avoid worst-case scenarios when facing threats in the future. Know what features you require in a cloud provider and have a thorough understanding of how the providers will protect your data.

Be self-aware

“Know thyself.” – Sun Tzu

It is important to truly know the cloud environment in which you operate. Understand what your cloud provider does to mitigate risks, how they report incidents and what their plan is to restore and secure data effectively. Know the nature of the data and applications you are migrating to the hybrid cloud, and ensure that the platform of choice is suitable in all material respects.

Be aware of your environment

“Know thy enemy.” – Sun Tzu

It is also important to understand the type of space you are in, what specific threats there are and what breaches, if any, have occurred in your industry. Be able to explain why another company’s data was compromised so you don’t make the same mistakes.

Choose a compliant hybrid cloud

“Invincibility lies in the defence” – Sun Tzu

As a baseline point of analysis, your cloud provider should be fully compliant with the latest security standards and hold certifications widely accepted in the industry, including specific regulatory requirements applicable to your business. You can’t prepare for future threats if your provider isn’t following best practices. Caveat emptor: be aware that compliance is often a static, point-in-time snapshot.

But don’t rely on standards alone

“The general who wins the battle makes many calculations in his temple before the battle is fought.” – Sun Tzu

Many times, enterprises believe their data is completely safe simply because their hybrid cloud provider is compliant with one industry standard or another. The truth is, third-party certifications against these standards are a snapshot in time, and are sometimes obsolete before the ink dries on the certificate. Certifications are necessary, but not sufficient. Continuous monitoring of compliance is a must.

Embrace transparency

“Balk the enemy’s power; force him to reveal himself.” – Sun Tzu

Your cloud provider should be upfront and open about any emerging risks in the industry, including those directed at their technology stack. You want to know that your data is being protected, what the emerging threats and risks are to your services, and how these threats are mitigated. It is important to have a clear understanding of, and clear reporting on, the provider’s responsibilities and your own.

Use all of your resources

While there are many threats in IT today, there are just as many tools and techniques to keep your data as safe as possible. Make sure you are using everything at your fingertips to thwart potential security breaches, and insist on a robust cloud platform. As an example, does your provider implement two-factor authentication and role-based access controls? Is there continuous monitoring? Is encryption of data at rest available?

Stay one step ahead

“To defeat the enemy, become the enemy.” – Sun Tzu

Your security tools – and your provider’s – should be continuous in nature, probing for weaknesses and changes, giving you a real-time look at how your data is being protected in the hybrid cloud. Always find security vulnerabilities and weak points before potential attackers do.

No two clouds are alike

“If ignorant both of your enemy and yourself, you are certain to be in peril.” – Sun Tzu

While two clouds may share identical certifications, they will almost certainly have different risk profiles. Understand these risk profiles and their effect on your security plan. The threats and risks are dynamic, and so your compliance and security toolsets and services – and those of your providers – must be as well.

Prioritize risk management

After assessing the state of your hybrid cloud environment, you may identify a number of vulnerabilities. That doesn’t mean you need to fix everything at once; identify which vulnerability presents the greatest risk and remediate it first, and completely. Deploy or consume tooling to continually assess the risk profile of your cloud assets.